Security applications such as intrusion detection systems (IDS) and intrusion prevention systems (IPS) utilize scanning parameterization. Scanning parameterization uses information about a network flow, such as its port and protocol information, to select the specific scanning parameters and the subset of signatures that should be applied to that flow. An application that simply scans every flow for every possible signature performs poorly. If the application can instead apply only a small subset of signatures to a given flow, using the scanning algorithm best suited to that flow, performance improves. Scanning parameters specified for a typical TCP/IP-based IDS/IPS may include the amount of the flow to scan; the offsets within the flow's stream and/or packets that should be scrutinized for signatures; the subset of general-purpose signatures that should be searched for; and the scanning algorithm that should be used on each flow.
Scanning parameterization is typically done using the protocol tuple {source port, destination port, protocol}. Given a set of rules that specify scanning parameters and collectively refer to S unique source ports and D unique destination ports, parameterization may produce up to S×D parameterized rule sets for the complete set of protocols, because each combination of a referenced source port and a referenced destination port can select a different subset of rules. As the number of source ports and destination ports grows, a large number of parameterized rule sets may be generated, requiring additional system storage resources. Other transmission data may also be used to parameterize rules, and a rule may specify more than one protocol, each of which further multiplies the number of parameterized rule sets. A solution for scanning parameterization that results in fewer parameterized rule sets would be useful.
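The following is an added worked example, not code from the original text, showing the tuple-keyed parameterization both paragraphs describe and the S×D growth it causes. The rule list is constructed for illustration in a Snort-like shape (protocol, source port, destination port, signature id); the signature ids, the port values and the function names are all hypothetical. The example also counts how many of the generated entries carry an identical signature subset, which is an observation added here to make the redundancy visible, not a method described by the text.

```python
from collections import defaultdict
from itertools import product

ANY = "any"  # wildcard port specification, as in a typical IDS rule language

# Constructed rule set (hypothetical): (protocol, source port, destination port, signature id).
# Port 8080 appears as a source port in exactly one rule, which is enough to add a full
# row of (8080, <every destination port>) entries to the parameterized table.
RULES = [
    ("tcp", ANY,  80,  "sig-http-1"),
    ("tcp", ANY,  80,  "sig-http-2"),
    ("tcp", ANY,  443, "sig-tls-1"),
    ("tcp", 80,   ANY, "sig-http-resp-1"),
    ("tcp", ANY,  22,  "sig-ssh-1"),
    ("tcp", ANY,  ANY, "sig-generic-tcp-1"),
    ("tcp", 8080, 80,  "sig-proxy-1"),
    ("udp", ANY,  53,  "sig-dns-1"),
    ("udp", 53,   ANY, "sig-dns-resp-1"),
    ("udp", ANY,  ANY, "sig-generic-udp-1"),
]


def port_matches(spec, port):
    """A rule's port specification matches a concrete port, or a wildcard matches a wildcard."""
    return spec == ANY or spec == port


def parameterize(rules):
    """Expand rules into a table keyed by (protocol, source port, destination port).

    For each protocol, S is the set of concrete source ports its rules reference and D the
    set of concrete destination ports, each extended with ANY to stand for "a port not
    otherwise listed". Every (s, d) pair in S x D receives its own entry holding the subset
    of signature ids that apply to flows with that tuple, so the table has up to |S|*|D|
    entries per protocol.
    """
    by_proto = defaultdict(list)
    for rule in rules:
        by_proto[rule[0]].append(rule)

    table = {}
    for proto, prules in by_proto.items():
        src_ports = {r[1] for r in prules if r[1] != ANY} | {ANY}
        dst_ports = {r[2] for r in prules if r[2] != ANY} | {ANY}
        for s, d in product(src_ports, dst_ports):
            sigs = frozenset(
                r[3] for r in prules if port_matches(r[1], s) and port_matches(r[2], d)
            )
            table[(proto, s, d)] = sigs
    return table


def lookup(table, proto, sport, dport):
    """Select the signature subset for one flow, falling back to the ANY entries
    when the flow's ports are not referenced by any rule."""
    for key in ((proto, sport, dport), (proto, sport, ANY),
                (proto, ANY, dport), (proto, ANY, ANY)):
        if key in table:
            return table[key]
    return frozenset()  # unknown protocol: nothing to scan for


def distinct_rule_sets(table):
    """Number of entries that differ in content; entries beyond this count are
    exact duplicates of another entry's signature subset."""
    return len(set(table.values()))


if __name__ == "__main__":
    table = parameterize(RULES)
    print("rules:", len(RULES), "table entries:", len(table),
          "distinct subsets:", distinct_rule_sets(table))
    for key in sorted(table, key=str):
        print(key, sorted(table[key]))
    print("tcp 51000->80:", sorted(lookup(table, "tcp", 51000, 80)))
```

With this rule set the tcp rules reference S = {80, 8080, any} and D = {80, 443, 22, any}, giving 12 tcp entries, plus 4 udp entries, for 16 entries from 10 rules; three of the 8080 rows repeat the subset already stored under the any-source key, so only 13 entries are distinct.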